How difficult is it to break the OpenPGP 40 character long fingerprint?

Niels Laukens niels at dest-unreach.be
Tue Apr 2 09:08:33 CEST 2013


On 2013-04-01 22:58, Robert J. Hansen wrote:
> On 04/01/2013 12:24 PM, adrelanos wrote:
>> How difficult, i.e. how much computing power and time is required to
>> create a key, which matches the very same fingerprint?
>>
>> Isn't 40 chars a bit weak?
> 
> (Nothing I am writing here is sarcastic or non-factual.)
> 
> At present, the only way to do a preimage attack on SHA-1 (as opposed to
> a random collision) is brute-force, so about 2**159 operations.  If
> you've got a PC that operates at the thermodynamic limits of the
> universe and can compute a SHA-1 hash in only 1000 bitflips, and you
> want to achieve this collision within the space of a year, then you're
> looking at needing to use about 100 exatons or more of energy.

Or put another way:
If you're running a computer at 3.2K (ambient universe temperature,
anything below that would require additional energy to cool it), a
bit-flip requires 4.41E-23 Joules of energy.

According to Wikipedia, the world produces "only" 20 279 640 GWh of
electrical power per year = 7.3E19 Joules. This is enough to count
through a 139-bit counter. Only count through, not even do any
calculations with it!


